<meta charset="utf-8">
(#) Missing @JavascriptInterface on methods

!!! ERROR: Missing @JavascriptInterface on methods
   This is an error.

Id
:   `JavascriptInterface`
Summary
:   Missing @JavascriptInterface on methods
Severity
:   Error
Category
:   Security
Platform
:   Android
Vendor
:   Android Open Source Project
Feedback
:   https://issuetracker.google.com/issues/new?component=192708
Since
:   Initial
Affects
:   Kotlin and Java files
Editing
:   This check runs on the fly in the IDE editor
See
:   https://developer.android.com/reference/android/webkit/WebView.html#addJavascriptInterface(java.lang.Object, java.lang.String)
See
:   https://goo.gle/JavascriptInterface
Implementation
:   [Source Code](https://cs.android.com/android-studio/platform/tools/base/+/mirror-goog-studio-main:lint/libs/lint-checks/src/main/java/com/android/tools/lint/checks/JavaScriptInterfaceDetector.kt)
Tests
:   [Source Code](https://cs.android.com/android-studio/platform/tools/base/+/mirror-goog-studio-main:lint/libs/lint-tests/src/test/java/com/android/tools/lint/checks/JavaScriptInterfaceDetectorTest.kt)
Copyright Year
:   2013

As of API 17, you must annotate methods in objects registered with the
`addJavascriptInterface` method with a `@JavascriptInterface`
annotation.

(##) Example

Here is an example of lint warnings produced by this check:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~text
src/test/pkg/JavaScriptTest.java:11:Error: None of the methods in the
added interface (NonAnnotatedObject) have been annotated with
@android.webkit.JavascriptInterface; they will not be visible in API 17
[JavascriptInterface]
    webview.addJavascriptInterface(new NonAnnotatedObject(), "myobj");
            ----------------------
src/test/pkg/JavaScriptTest.java:14:Error: None of the methods in the
added interface (NonAnnotatedObject) have been annotated with
@android.webkit.JavascriptInterface; they will not be visible in API 17
[JavascriptInterface]
    webview.addJavascriptInterface(o, "myobj");
            ----------------------
src/test/pkg/JavaScriptTest.java:21:Error: None of the methods in the
added interface (NonAnnotatedObject) have been annotated with
@android.webkit.JavascriptInterface; they will not be visible in API 17
[JavascriptInterface]
    webview.addJavascriptInterface(object2, "myobj");
            ----------------------
src/test/pkg/JavaScriptTest.java:32:Error: None of the methods in the
added interface (NonAnnotatedObject) have been annotated with
@android.webkit.JavascriptInterface; they will not be visible in API 17
[JavascriptInterface]
    webview.addJavascriptInterface(t, "myobj");
            ----------------------
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Here are the relevant source files:

`src/test/pkg/AnnotatedObject.java`:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~java linenumbers
package test.pkg;

import android.webkit.JavascriptInterface;

@SuppressWarnings("ClassNameDiffersFromFileName")
public class AnnotatedObject {
    @JavascriptInterface
    public void test1() {
    }

    public void test2() {
    }

    @JavascriptInterface
    public void test3() {
    }
}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

`src/test/pkg/InheritsFromAnnotated.java`:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~java linenumbers
package test.pkg;

import android.webkit.JavascriptInterface;

@SuppressWarnings("ClassNameDiffersFromFileName")
public class InheritsFromAnnotated extends AnnotatedObject {

    @Override
    public void test1() {
    }

    @Override
    public void test2() {
    }

}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

`src/test/pkg/NonAnnotatedObject.java`:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~java linenumbers
package test.pkg;

@SuppressWarnings("ClassNameDiffersFromFileName")
public class NonAnnotatedObject {
    public void test1() {
    }
    public void test2() {
    }
}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

`src/test/pkg/JavaScriptTest.java`:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~java linenumbers
package test.pkg;

import android.annotation.SuppressLint;
import android.webkit.WebView;

@SuppressWarnings({"ClassNameDiffersFromFileName", "MethodMayBeStatic"})
public class JavaScriptTest {
    public void test(WebView webview) {
        webview.addJavascriptInterface(new AnnotatedObject(), "myobj");
        webview.addJavascriptInterface(new InheritsFromAnnotated(), "myobj");
        webview.addJavascriptInterface(new NonAnnotatedObject(), "myobj");

        Object o = new NonAnnotatedObject();
        webview.addJavascriptInterface(o, "myobj");
        o = new InheritsFromAnnotated();
        webview.addJavascriptInterface(o, "myobj");
    }

    public void test(WebView webview, AnnotatedObject object1, NonAnnotatedObject object2) {
        webview.addJavascriptInterface(object1, "myobj");
        webview.addJavascriptInterface(object2, "myobj");
    }

    @SuppressLint("JavascriptInterface")
    public void testSuppressed(WebView webview) {
        webview.addJavascriptInterface(new NonAnnotatedObject(), "myobj");
    }

    public void testLaterReassignment(WebView webview) {
        Object o = new NonAnnotatedObject();
        Object t = o;
        webview.addJavascriptInterface(t, "myobj");
        o = new AnnotatedObject();
    }
}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You can also visit the
[source code](https://cs.android.com/android-studio/platform/tools/base/+/mirror-goog-studio-main:lint/libs/lint-tests/src/test/java/com/android/tools/lint/checks/JavaScriptInterfaceDetectorTest.kt)
for the unit tests for this check to see additional scenarios.

The above example was automatically extracted from the first unit test
found for this lint check, `JavaScriptInterfaceDetector.test`.
To report a problem with this extracted sample, visit
https://issuetracker.google.com/issues/new?component=192708.

(##) Suppressing

You can suppress false positives using one of the following mechanisms:

* Using a suppression annotation like this on the enclosing
  element:

  ```kt
  // Kotlin
  @Suppress("JavascriptInterface")
  fun method() {
     addJavascriptInterface(...)
  }
  ```

  or

  ```java
  // Java
  @SuppressWarnings("JavascriptInterface")
  void method() {
     addJavascriptInterface(...);
  }
  ```

* Using a suppression comment like this on the line above:

  ```kt
  //noinspection JavascriptInterface
  problematicStatement()
  ```

* Using a special `lint.xml` file in the source tree which turns off
  the check in that folder and any sub folder. A simple file might look
  like this:
  ```xml
  &lt;?xml version="1.0" encoding="UTF-8"?&gt;
  &lt;lint&gt;
      &lt;issue id="JavascriptInterface" severity="ignore" /&gt;
  &lt;/lint&gt;
  ```
  Instead of `ignore` you can also change the severity here, for
  example from `error` to `warning`. You can find additional
  documentation on how to filter issues by path, regular expression and
  so on
  [here](https://googlesamples.github.io/android-custom-lint-rules/usage/lintxml.md.html).

* In Gradle projects, using the DSL syntax to configure lint. For
  example, you can use something like
  ```gradle
  lintOptions {
      disable 'JavascriptInterface'
  }
  ```
  In Android projects this should be nested inside an `android { }`
  block.

* For manual invocations of `lint`, using the `--ignore` flag:
  ```
  $ lint --ignore JavascriptInterface ...`
  ```

* Last, but not least, using baselines, as discussed
  [here](https://googlesamples.github.io/android-custom-lint-rules/usage/baselines.md.html).

<!-- Markdeep: --><style class="fallback">body{visibility:hidden;white-space:pre;font-family:monospace}</style><script src="markdeep.min.js" charset="utf-8"></script><script src="https://morgan3d.github.io/markdeep/latest/markdeep.min.js" charset="utf-8"></script><script>window.alreadyProcessedMarkdeep||(document.body.style.visibility="visible")</script>